Validating Signed Route Requests with additional query parameters attached to the end of the signed URL

Does it chance anything if you turn tracking off?

https://sendgrid.com/docs/ui/account-and-settings/tracking/

Otherwise try turing $absolute off

$request->hasValidSignature(false)

Hi Sinnbeck,

Thank you for your suggestions.

• With regards to your first suggestion: In my first post I forgot to include that when I disabled the Google Analytics from Sendgrid, the mentioned query parameters (&utm_source=sendgrid.com&utm_medium=email&utm_campaign=website) were not added to the URL, and the link worked fine - It was validated successfully.

However, I am trying to find a way how these can be left on, and whatever is added to Laravel's generated URL, this URL still remains 'valid' (i.e. A solution in Laravel is needed, irrespective of Sendgrid's settings).

• Regarding the second point: I modified my code in the controller as suggested (shown below) to try turning $absolute off:

public function checkLink($id, Request $request) 
    {
        if (!$request->hasValidSignature(false)) {
            //abort(401, 'This link is not valid.');
            $verified = false;
            return view('auth.login')->with('id', $id)->with('message', $verified);    // When we redirect, we will have the message in our session
        }
	// My actions	
}

This did not solve the issue and caused another problem, where even if I paste the generated URL only (without the query parameters/Google Analytics added by Sendgrid), this is still interpreted as invalid.

Is there maybe something else that should be added when turning $absolute off?

Thank you for your suggestions/help, Brian

Ah I read the code for the absolute. And it i just the path it means..

Instead try removing the unwanted stuff from the request

 $request->request->remove('utm_source');
 $request->request->remove('utm_campaign');
$request->hasValidSignature()

Hi,

Thank you Sinnbeck! It's working perfectly now after removing the source, medium and campaign parameters.

I'll try to find a way how to 'keep only' the fields needed to validate the signed URL (the expires and the signature fields). I tried using:

$request->only('expires', 'signature');

However this did not work for me. When returning $request, I still got {"expires":"1597911799","signature":"8b3a0889c3d9203417a563d2dacf9062d0dd3a0d6d97ac373867762496ba17b8","utm_source":"sendgrid.com","utm_medium":"email","utm_campaign":"website"}

I'll try some other ways and see what I get.

Regards, Brian

You could probably get them all and loop over and remove those you dont need?

foreach (array_keys($request->all()) as $key) {
    if (!in_array($key, ['expires', 'signature']) {
        $request->request->remove($key);
    }
}
$request->hasValidSignature()

Thanks, that seems to be a good way of getting rid of all unwanted parameters. Will try it out and see if it works.

That worked well for me. Better than specifying what to remove in case other parameters are added to the URL. Thanks!

I know this is an old conversation but I faced the same issue recently.

If you are using signed middleware you can add parameters to the $ignore array in ValidateSignature middleware class (\App\Http\Middleware\ValidateSignature::class).

/**
     * The names of the query string parameters that should be ignored.
     *
     * @var array<int, string>
     */
    protected $except = [
        // 'fbclid',
        // 'utm_campaign',
        // 'utm_content',
        // 'utm_medium',
        // 'utm_source',
        // 'utm_term',
    ];

or you can create your own middleware using

if ($request->hasValidSignatureWhileIgnoring($ignore, $relative !== 'relative')) {
            return $next($request);
 }